Responsible disclosure policy

Invokely publishes enough information to support an informed decision without publishing instructions that make a finding easier to exploit.

Public findings show category and severity

A public server page may show the finding category, severity, measurement date, and affected scope. It does not show exploit steps or sensitive evidence.

Exploit evidence stays private

Payloads, reproduction steps, credentials, raw traces, and evidence that could expose customer or server data remain available only to authorized Invokely staff, verified owners, and authorized Guard organizations.

Owner notice and correction

When we can verify an owner contact, we send the finding privately with enough evidence to review it. The verified owner can submit a correction, clarify the affected scope, or request a new measurement.

Correction window

The standard correction window is 14 days from verified owner notice. We may disclose sooner when delay would increase active harm, and we record why the shorter window was necessary.

Corrections and takedown requests

Email security@invokely.ai with the server URL, report URL, your relationship to the server, and the correction or removal requested. Do not send live credentials.

Email security@invokely.ai

This policy does not authorize third-party testing

A listing or report on Invokely does not give you permission to test that server. Obtain explicit authorization from the system owner before testing any third-party endpoint.

Report a vulnerability in Invokely

If you believe Invokely has a security vulnerability, email security@invokely.ai with the affected URL, observed behaviour, and a minimal reproduction. Remove personal data and credentials from the report.

Report an Invokely vulnerability